Compliance Requirements under the DPDP Act, 2023

Article by Tsaaro

Introduction

Data has become the centre of innovation and business. For any successful business to thrive, data is necessary. The latest technologies, from Artificial Intelligence to the Metaverse, all require data to function efficiently. With the abundance of data available online and the vast amount of data extracted from individuals, the question of the importance of Privacy has been raised time and again around the world. The European Union attempted to answer this problem of Data Privacy through the General Data Protection Regulation (GDPR), and several other countries have adopted various legislations in pursuit of Data Privacy. But what about Data Privacy in India?

The Digital Personal Data Protection Bill was passed by the Lok Sabha on August 7 and by the Rajya Sabha on August 9. Subsequently, President Droupadi Murmu gave her assent to the Digital Personal Data Protection Bill on August 11, 2023. This gave India specific legislation that addresses the protection of a citizen’s data. Now that the law has been enacted, the government will initiate the rule-making process for the DPDP Law. This Act has the power to drastically impact businesses and organizations in India and outside. The Act imposes heavy compliance requirements on businesses, and failure to comply with the Act can result in fines of up to Rs. 250 Crores. In this blog, we shall examine the applicability of the Act and break down the complexities of the compliance requirements under the DPDPA for businesses.

Applicability of the DPDPA

Before diving into the complexities of the new DPDPA, it is essential to determine the applicability of the Act and whether your business can be affected by the new Act. This Act shall apply to the processing of Personal Data in the territory of India. The term ‘Personal Data’ is defined under the Act as any data about an individual who is identifiable by or in relation to such data.

Similar to the previous draft version of the bill, the DPDPA shall apply to the processing of Personal Data in the territory of India. However, it is important to highlight that the Personal Data has to be either collected in a Digital Form or must be subsequently digitized if collected in a non-digital form. Hence, the Act shall apply to Personal Data in the Digital form only.

Additionally, the Act also applies extra-territorially: it covers the processing of Personal Data irrespective of the location of the processing, provided that the processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India.

The applicability of this Act is very broad and has the power to impact several businesses in India. Hence, it is becoming increasingly important for businesses to be aware of the compliance requirements under the Act.

Business Compliance under the DPDP Act 2023

Chapter II of the DPDP Act 2023 outlines the responsibilities of a Data Fiduciary. In this context, a Data Fiduciary is defined as an individual or entity that, independently or in collaboration with others, determines the purpose and methods of processing personal data. Consequently, businesses or organizations that control the processing of personal data fall under this category, and they must adhere to several obligations as stipulated by the new Act.

The Basis for Processing Personal Data

Sections 5 and 6 of the DPDP Act 2023 acknowledge the processing of Personal Data on the grounds of the Data Principal’s Consent and Deemed Consent, provided such processing is for lawful purposes outlined within the Act.

Obligations concerning Notice and Consent of Data Principal

A request for Personal Data necessitates an Itemized Notice under Section 5 containing a clear description of the personal data and purpose, expressed in plain and comprehensible language. Concurrently, the contact information of a Data Protection Officer (DPO) or an authorized representative must be furnished to facilitate Data Principals’ exercise of rights. Section 6 mandates that Consent granted must be voluntary, specific, informed, and unambiguous, and it can be managed, reviewed, or revoked via a Consent Manager designated by the Data Fiduciary.

Responsibilities involving legitimate uses

Section 7 allows Data Fiduciaries to process personal data under the umbrella of “legitimate uses”, including instances where the Data Principal has voluntarily provided personal data, as well as processing for legal compliance, for the benefit of the Principal, in compliance with court orders, in medical emergencies, for safety during disasters, or for employment-related purposes.

Accountability on Behalf of the Data Processor or Another Data Fiduciary

The DPDP Act 2023, as per Section 8(5), places responsibility for compliance on the Data Fiduciary even in cases where the processing is undertaken by a Data Processor or another Data Fiduciary on the Data Fiduciary’s behalf.

Mandatory Standards for Processing

Section 8 mandates that Data Fiduciaries ensure the data processed, either directly or indirectly, adheres to completeness, accuracy, and consistency standards.

Safeguarding Personal Data and Addressing Data Breaches

The Act compels Data Fiduciaries to implement appropriate security measures and safeguards to prevent data breaches. In case of a violation, the Data Fiduciary must notify the Data Protection Board and the affected individuals.

Effective Grievance Resolution

Under Section 8(10), Data Fiduciaries must publish the contact details of a Data Protection Officer or authorized representative to facilitate effective grievance redressal mechanisms for Data Principals.

Child Data Processing Obligations

When processing the personal data of children, Data Fiduciaries are subject to additional obligations under Section 9, including obtaining parental Consent and refraining from monitoring a child’s behaviour.

Significant Data Fiduciary Requirements

The Central Government holds the authority to classify certain Fiduciaries as Significant Data Fiduciaries based on specific criteria, imposing additional obligations under Section 10, such as the mandatory appointment of a DPO and a Data Auditor, periodic data protection assessments, audits, and other prescribed measures.

Cross-Border Data Transfer Regulations

Section 13 of the Act allows Data Fiduciaries to transfer personal data across borders, except to any country or territory that the Central Government has restricted by notification.

The DPDP Act 2023 places a range of responsibilities on Data Fiduciaries, as outlined above. These obligations could significantly impact business operations. Enterprises must allocate resources to comply with these regulations by appointing a DPO, implementing adequate safeguards, and more. Additionally, the Act imposes substantial regulatory penalties on Data Fiduciaries for violations, potentially placing a significant financial burden on businesses.

Penalties under the DPDP Bill 2023

Penalties under the DPDP Act 2023 are imposed by the Data Protection Board of India (DPB), which is established under the same Act. The role of the Board is to ensure compliance with the Act and protect the rights of Data Principals. The DPB handles complaints and violations of the Act and is vested with the power to impose fines on any offender.

Upon receipt of information on any Breach or Non-Compliance, the Board conducts a thorough assessment to determine whether there are substantial grounds to initiate an investigation. If the Board concludes that the complaint is valid and significant, it proceeds to launch an inquiry into the matter. Furthermore, the Board is also authorized to summon and question witnesses, inspect data and documents, and take necessary actions to conduct a comprehensive investigation.

The Board has the power to impose fines where a significant breach occurs and the severity and categorisation of the fines are outlined in the Act’s Schedule based on the nature of the offence. The maximum penalties for different types of breaches are as follows:

1. Personal Data Breach: Up to two hundred and fifty crore rupees.

2. Failure to Notify Data Breach: Up to two hundred crore rupees.

3. Breach of Additional Obligations (e.g., for children or significant data fiduciaries): Up to one hundred and fifty crore rupees.

4. Breach of Duties under Section 16: Up to ten thousand rupees.

5. Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach.

6. Other Breaches: Up to fifty crore rupees.

Conclusion

The new DPDP Act 2023 is highly regarded as an important piece of legislation that can transform the entire Landscape of Data Privacy. Safeguarding Privacy has become a paramount concern for authorities, and the passing of the new DPDP Act 2023 demonstrates India’s stance towards the assurance of Data Privacy. The establishment of the DPB helps assure that the Act will be implemented effectively and that businesses will comply with the provisions of the Act. Compliance with the new Act has, however, brought with it several challenges for businesses. Yet as businesses move towards compliance, emphasis will be laid on a Privacy-centric ecosystem with heightened cultivation of Digital Trust. Businesses will have to adapt to the new Act, which will ultimately help lay the foundation for trust amongst consumers. In this ever-evolving era of technology, Data Privacy will go a long way in building consumer trust and ensuring the protection of Data Online.

We understand that grappling with the demands of the new law might present challenges. However, it’s important to note that our skilled Privacy Experts and Consultants can aid you in complying with its requirements.

If your organization requires expert assistance to understand these privacy regulations, remember that Tsaaro Consulting is here for you. Our Privacy experts provide the guidance you seek. You can contact us at info@tsaaro.com.
